The ability to retrieve historical WHOIS information can be essential for the cybersecurity community, particularly when it comes to threat hunting and cybercrime investigation. This investigative capability is highlighted in our latest downloadable white paper “Digging Up Zombie Domains: What WHOIS History Reveals about 3,800+ Verified Phishing Hosts” where we analyzed thousands of verified phishing hosts and their historical WHOIS records.

The research conducted in this paper led to various findings, including the below ones:

• Available domains may have a malicious WHOIS history. Just because a domain is available for registration doesn’t mean that it has never been used.
• Phishing actors can use both newly registered domains (NRDs) and older domains with deep WHOIS history, although our data revealed more of the latter.
• WHOIS history can bring to light otherwise hidden breadcrumbs that can be used for further investigation.
• All TLD registries and registrars are prone to phishing and other forms of domain abuse.

This post elaborates on those main findings and highlights some of the identified trends regarding the ownership history of phishing domains.

Most Phishing Domains Have Deep WHOIS History

Recent indicators of compromise (IoCs), such as those connected to the SolarWinds attack, tell us that threat actors can evade common NRD detection by using older domain names. The WHOIS history analysis of almost 4,000 domains connected to verified phishing URLs revealed a similar trend.

More precisely, about 32% were less than a year old at the time of PhishTank reporting, 24% were 1—5 years old, 14% were 6—10 years old, 7% were 11—15 years old, and 6% were more than 15 years old. In total, over 50% of the domains were more than a year old, with an average of 11 historical WHOIS records each.

Available Domains May Have a Malicious WHOIS History

The white paper revealed that 46% of the domains in our dataset were available for registration as of 17 November 2021. On the other hand, 54% were unavailable. That means their registrants never dropped them, or they were re-registered at some point between June 2020 and November 2021.

Still, the fact that almost half of the malicious domains went through the normal domain expiry cycle indicates that they could be registered again, either for legitimate or malicious purposes. Below are a few examples of verified phishing domains targeting PayPal and Steam that are available for registration (as of 17 November 2021).

A possible reason behind the presence of these zombie domains can be the lack of a standard way to report and address malicious domains across registries and registrars.

Following the Breadcrumbs

Of the 1,421 unique registrant email addresses used in the initial domain registration, 822 were unredacted. While some could be aliases or temporary email addresses, historic reverse WHOIS still yielded 5,151 unique domains.

At this point, we went beyond the white paper’s initial findings and checked for maliciousness among the related domains. We found 70 domains flagged as dangerous by malware engines, including the following:

• btcfxtrades24[.]com
• find-apple-apple[.]com
• getsupportnowprogram[.]com
• icloudnt[.]cn
• icloudrv[.]cn
• icloudto[.]cn
• mybilling-cloud2[.]com
• mycloud2-billing[.]com
• mycloud-id2[.]com
• paypal-inloggen[.]com

Interestingly, 18 of the malicious domains’ current registrant email addresses are also among the 822 email addresses in our initial dataset.

This additional finding suggests that some of the threat actors involved in the phishing activities verified last June 2020 may still be active. They left breadcrumbs through WHOIS history, enabling us to track some of their footprints.

If you are a threat researcher or cybersecurity professional, please contact us for collaboration or access to the historical WHOIS records of the phishing domains in this study.